Cybersecurity is focus of new bills

House lawmakers have returned from the August recess resolved to fight the nation’s cyber adversaries with a flurry of new legislative proposals aiming to boost security of public and private networks and infrastructure.

Key House members are readying a series of bills that address a variety of issues — from toughening law enforcement of cybercrimes to giving the Department of Homeland Security oversight of federal IT and critical infrastructure security to lessening liability for private companies that adopt cybersecurity best practices.

“The House is coming at the problem with a series of small steps,” said Alan Paller, director of cybersecurity research at the SANS Institute, a nonprofit research and education organization. “This reflects that a lot of members on the Hill see this as an issue that’s important to constituents.”

By contrast, the Senate is continuing to pursue a comprehensive cybersecurity bill with several committees working to hammer out one piece of legislation.

The House has chosen a different approach favoring piecemeal legislation to respond to the growing rash of cyberattacks against private companies — from Google to Sony to Epsilon — and government.

Rep. Dan Lungren (R-Calif.), chairman of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, has been circulating a draft discussion bill to industry that aims to clarify the Department of Homeland Security’s authority to manage the security of federal IT and critical infrastructure systems. This was a top initiative outlined in the cybersecurity legislative proposal released by the White House this spring.

According to the draft obtained by POLITICO, the Lungren bill would create a U.S. Computer Emergency Response Team within DHS that is responsible for protecting federal and critical infrastructure systems, such as coordinating the response to cyberincidents, facilitating information sharing between the public and private sector and disseminating information about cyberthreats.

The bill would also create a nonprofit organization — called the National Information Security Organization — managed by the DHS secretary that would “serve as a national clearinghouse for the exchange of cyberthreat information” among the federal government, operators of critical infrastructure, state and local governments and the private sector.

As the bill stands now, the organization would have a board of directors comprising a representative from DHS, three representatives from different federal agencies that deal with cybersecurity and five representatives from the private sector that operate networks or facilities that have been deemed “critical infrastructure” — such as energy, water and communications networks.

Lungren’s office did not respond to requests for comment.

Meanwhile, the House Cybersecurity Task Force, led by Rep. Mac Thornberry (R-Texas), plans to continue compiling recommendations for GOP leadership on cyber issues and legislation. The task force is crafting a report that it aims to finish at the end of the month and will meet with House Speaker John Boehner to discuss the recommendations, Thornberry said.

It’s unclear how Boehner will proceed after he receives the task force’s feedback.

“He left it to us when it comes to developing a framework that makes sense for House Republicans. What he does from there, I don’t know,” Thornberry said.

Other key Republicans are following up on private-sector concerns about potential federal cybersecurity laws.

Rep. Bob Goodlatte (R-Va.), a member of the Cybersecurity Task Force and the Judiciary Committee, has signaled to industry that his office may be cooking up legislation that would provide liability protection for companies that adopt advanced cybersecurity best practices. Goodlatte staffers have also discussed amending the Racketeer Influenced and Corrupt Organizations Act so that cybercriminals and hackers are covered under the law, which might make it easier to convict them.

An aide in Goodlatte’s office confirmed that the Virginia Republican is looking into those two cyber-related areas but is also examining other legislative avenues on cybersecurity. At this point, Goodlatte does not have firm plans for introducing a bill.

“He’s looking at all the ways he can be productive here,” the aide said. “We’re exploring all of our options at this point and having meetings with industry on how to treat cybersecurity.”

Enabling authorities to use the RICO Act to prosecute cybercrime is appealing to certain members of the Senate, too.

Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) held a hearing Wednesday that examined updating the Computer Fraud and Abuse Act so cybercriminals face stiffer punishments. Leahy said the committee will consider the Obama administration’s proposals to give law enforcement new legal tools to crack down on hackers during the markup of his legislation on data privacy and security on Thursday. At Wednesday’s hearing, Associate Deputy Attorney General James Baker from the Justice Department stressed to the committee that updating RICO was imperative so cybercriminals are held liable for their malicious acts and taken to court.

This spring, the Obama administration delivered a set of widely anticipated legislative proposals to Congress that aimed to boost the security of the federal government’s networks and computer systems, as well as the infrastructure the nation depends on to function, such as water facilities and transportation systems. One of the top proposals in the White House plan called for formalizing DHS’s role in managing security of the federal government’s systems and critical infrastructure. It also recommended that the agency work closely with the private sector to facilitate information sharing about cyberthreats and develop a framework of security standards tailored to each industry.